Enterprise network security 101: Make the most out of your investments in SIEM

With the rising number of devices and services on the network, organizations face a problem: the demands of keeping the network secure and running smoothly go far beyond what humans can handle on their own. A SIEM would solve the problem, you think. But that answer is just not good enough. Let’s see how we can do better.

Some 15 years ago, SNMP and a firewall were all you needed to keep the network under control. It is becoming obvious that such a toolset no longer provides the capabilities needed to unravel modern attacks (advanced malware, targeted attacks, …) or to troubleshoot the root causes of operational issues. Both lead to expensive service outages and lost company productivity.

With ever-growing requirements on the services provided through the network (both in-house and cloud-based), the number of tools and people needed to maintain them and ensure availability keeps rising tremendously. Whoever doesn’t keep up with the latest trends ends up with a network that is more of a black box: a hostile environment with no rules and no order. And again, the company keeps losing money.

If you are asking why I am mixing security and operations together, think about this: if a robber breaks into your house and bypasses your alarm (the preventive tool, such as a firewall), you need a camera system (visibility, or in our case Network Performance Monitoring and Diagnostics) and an automatic detection system (in our case Network Behavior Analysis) to be able to say that someone broke in, how they managed to do it, and what the damage is. In fact, Neil MacDonald, VP Distinguished Analyst at Gartner, speaking at the Gartner Security & Risk Management Summit, says that deep network visibility should be at the core of all next-generation security platforms. That said, visibility and security go hand in hand, and each is ineffective without the other.

There is not, and never will be, a single solution for all such problems. The closest thing to it, though, is a SIEM (Security Information and Event Management). A SIEM is effectively an event aggregator with advanced intelligence that correlates inputs from a variety of systems across the network, providing a single point of focus for network insight, which is why it is so widely used in Security Operations Centers. IBM QRadar, one of the most commonly used SIEMs in the world, even comes with built-in incident response capabilities.

Figure 1: Flowmon & SIEM solution

However advanced the SIEM is, it is only as strong as the data sources streaming events into it. A vast number of organizations ignore this ugly truth and deploy a SIEM just to tick off every item on their list of things to do to comply with cybersecurity regulations. And the company keeps losing money, this time not only because of gaps in its in-house toolset, but also because it has invested in a reasonable technology without using its full potential.

So how does Flowmon come into the game?

Flowmon helps to dramatically reduce mean-time-to-resolve by providing deep network visibility, detecting and alerting on operational and security issues that bypassed traditional preventive solutions. Furthermore, it helps to respond and carry out remedial actions as quickly as possible. The expertise we have gained over the past 15 years has made us the only vendor recognized globally in both Gartner’s NetFlow/IPFIX and Network Behavior Analysis related reports. We provide precious insight into the data network and artificial intelligence with the ability to detect suspicious behavior, using machine learning, adaptive baselining and advanced heuristics. Flowmon is the missing link, the missing source of data for QRadar; as a bundle, the two represent an all-in-one solution to prevent, detect and respond to security and operational incidents.

Flowmon ADS Integration with IBM QRadar

Integration of Flowmon ADS with IBM QRadar is done via an easy-to-install software package. Once the package is installed, Flowmon ADS informs the SIEM about detected anomalies. Security events are exported in the standard CEF (Common Event Format) and delivered as syslog messages. Because syslog is a standardized protocol supported by all vendors of event management tools, Flowmon integrates seamlessly with practically any SIEM system on the market. Thanks to the integration, the user can open Flowmon directly from the QRadar context menu for deeper investigation of an incident.
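As an added illustration, not code from Flowmon or IBM, here is how a collector on the SIEM side might parse the syslog-wrapped CEF events described above and correlate them by signature across source hosts, the kind of correlation a SIEM performs when it notices the same anomaly on several stations. The sample messages, signature IDs, event names and addresses are constructed for the example; the CEF escaping rules (`\|` in header fields, `\=` and `\\` in extension values) are the standard ones.

```python
import re
from collections import defaultdict

# Constructed sample input (not real Flowmon ADS output): syslog lines carrying
# CEF records. Signature IDs, event names and addresses are made up.
SAMPLE_SYSLOG = [
    r"<134>Jun  3 10:15:02 flowmon-ads CEF:0|Flowmon|ADS|11.1|DNSANOMALY|DNS tunneling suspected|8|src=10.1.20.17 dst=198.51.100.9 dpt=53 proto=UDP cnt=4210 msg=Long TXT queries to example-tunnel.test",
    r"<134>Jun  3 10:15:40 flowmon-ads CEF:0|Flowmon|ADS|11.1|DNSANOMALY|DNS tunneling suspected|8|src=10.1.20.23 dst=198.51.100.9 dpt=53 proto=UDP cnt=3980",
    r"<134>Jun  3 10:16:05 flowmon-ads CEF:0|Flowmon|ADS|11.1|DNSANOMALY|DNS tunneling suspected|8|src=10.1.20.41 dst=198.51.100.9 dpt=53 proto=UDP cnt=3775",
    r"<134>Jun  3 10:17:11 flowmon-ads CEF:0|Flowmon|ADS|11.1|SCANS|Port scan|5|src=10.1.20.17 dst=10.1.20.0/24 cnt=812",
    r"<134>Jun  3 10:18:00 flowmon-ads CEF:0|Flowmon|ADS|11.1|BLACKLIST|Contact with blacklisted host \| C2 feed|7|src=10.1.20.23 dst=203.0.113.77 dpt=443 msg=TLS\=off\\ fallback",
]

# Syslog prefix: optional <PRI>, timestamp, reporting host, then the CEF record.
_SYSLOG_RE = re.compile(r"^(?:<\d+>)?(?P<ts>.*?)\s+(?P<host>\S+)\s+(?P<cef>CEF:\d+\|.*)$")
# Extension: key=value pairs; a value runs until the next " key=" token or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def _split_unescaped(text, sep, maxsplit):
    """Split on sep, skipping backslash-escaped characters; at most maxsplit splits."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep the escape pair intact for later unescaping
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    # Undo CEF escaping: backslash-pipe, backslash-equals, double backslash, \n and \r.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a dict of header fields plus an 'ext' dict."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF record: %r" % line)
    fields = _split_unescaped(m.group("cef"), "|", maxsplit=7)
    if len(fields) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields before the extension")
    event = {"timestamp": m.group("ts"), "reporter": m.group("host")}
    for key, raw in zip(HEADER_FIELDS, fields[:7]):
        event[key] = _unescape(raw)
    event["cef_version"] = event["cef_version"].split(":", 1)[1]  # "CEF:0" -> "0"
    event["severity"] = int(event["severity"])
    event["ext"] = {k: _unescape(v) for k, v in _EXT_RE.findall(fields[7])}
    return event


def find_spreading(events, min_hosts=2):
    """Group anomalies by signature and return those seen on at least min_hosts distinct sources."""
    by_sig = defaultdict(set)
    for ev in events:
        src = ev["ext"].get("src")
        if src:
            by_sig[ev["signature_id"]].add(src)
    return {sig: sorted(hosts) for sig, hosts in by_sig.items() if len(hosts) >= min_hosts}


def hosts_to_isolate(events, min_hosts=2):
    """Union of sources involved in a spreading signature: the set a containment rule would act on."""
    hosts = set()
    for srcs in find_spreading(events, min_hosts).values():
        hosts.update(srcs)
    return sorted(hosts)


if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_SYSLOG]
    for sig, hosts in find_spreading(events).items():
        print("%s seen on %d hosts: %s" % (sig, len(hosts), ", ".join(hosts)))
    print("candidates for isolation:", hosts_to_isolate(events))
```

The header is split on unescaped pipes only seven times because, per the CEF convention, pipes inside the extension part are not escaped; the `min_hosts` threshold is the knob a SIEM rule would tune to separate a single noisy station from an anomaly that is genuinely spreading.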

More information on the integration with IBM QRadar can be found at the following link.

Figure 2: Flowmon ADS

Use-case: Detection of malware and response to the threat

A salesman, let’s call him Bob, spends a week abroad on a business trip and connects to any open Wi-Fi around to be able to answer a few emails. When Bob finally gets back to his office, things look just the same as always, except that his laptop is now compromised with malware. The antivirus Bob has had installed since he got the laptop is all nice and green, as it hasn’t failed to update its database of known malicious code signatures in months. However green his AV may be, the malware remains undetected because there is no signature for such a new type of attack. The Next-Generation Firewall guarding the company’s perimeter could not pick up the threat either, as the code never passed through that point in the network. The organization had the budget to purchase a SIEM system last year and was happy to have forged its ultimate security. Yet the malware slipped under the SIEM’s radar, as no major configuration changes had been made to the laptop that could be detected from device logs. Fortunately for Bob and the whole company, they had the “camera system” of Flowmon, which tracked every single communication. Using its AI, Flowmon was able to detect that Bob’s laptop was misusing the DNS protocol to exfiltrate precious customer data to an attacker. Flowmon then alerted the SIEM, which correlated further events from Flowmon and found that the malware had spread to a few more stations. This was the first moment Bob noticed any change, as he and a few of his colleagues lost connectivity to the network. The remedial action performed by the SIEM was to isolate the infected stations from the network so that the malware would not continue spreading, which gave the administrators more time to fix the problem. Re-running the antivirus didn’t help, so the administrators decided to refresh those laptops by wiping all data and reinstalling the system from scratch.

Storage, servers, applications, virtual environments, active network devices, end stations: all these and more report on their state by sending logs. But just because a server indicates it is not running out of resources, it doesn’t mean users aren’t experiencing errors and long response times caused by an internal attack or simply a wrong configuration. For some problems, logs are what we need to identify the root cause; for the other, large portion of problems we have network monitoring. And the network doesn’t lie. It provides undeniable evidence of the quality of service the system delivers to users.

The number of critical systems is too high to maintain each one separately, and a SIEM reduces the cost, both in headcount and in seniority, of the people maintaining those technologies. Flowmon is the central brain of network and security operations, providing the right level of detail, ease of use and flexibility, which is very precious for seeing what is happening between such systems on the network. Only by combining a SIEM and Flowmon can we make sure we effectively prevent, detect, troubleshoot and respond to downtimes, poor performance and wrong configurations that are very hard or impossible to sort out with traditional approaches.

When we talk about the business value of a tool or system that (at first glance) may seem like a “nice to have” or “helpful but not absolutely necessary” technology, it is a good idea to start this discussion...